This micro emulation plan targets compound behaviors related to T1055 Process Injection. Process injection is commonly abused by malware to run code in another process, often to evade defenses (i.e. execution from an otherwise benign process) as well as potentially to elevate privileges (i.e. inheriting unique privileges from the target process). There are many variations of process injection, mostly used to migrate between processes or to execute specific modules in a sacrificial process. This emulation focuses on the latter varaint.
Table Of Contents:
- Description of Emulated Behaviors
- Cyber Threat Intel / Background
- Execution Instructions / Resources
- Defensive Lessons Learned
What are we doing? This module provides an easy-to-execute tool that:
- Creates a suspended, sacrificial process (
svchost.exe,notepad.exe, orpowershell.exe) usingCreateProcess(). - Injects the sacrificial process with malicious shellcode to execute a command
(from a predefined list of local discovery commands) using
WriteProcessMemory(). - Executes the command code using
CreateRemoteThread(). - Repeats
1-3until the program is stopped. - Cleans up by ending all created processes still running.
The local discovery commands used in step 2 are used to emulate an adversary enumerating a system after initial compromise. These commands are:
whoami /groupsnetstat -anoqwinstatasklist
Why should you care? T1055 Process Injection is very commonly abused by malware to evade defenses, specifically to execute malicious code within an otherwise benign process. There are numerous variations of process injection that all typically follow the same pattern of accessing a target process, writing malicious code into its memory space, and then triggering execution of the code (typically via a thread within the victim process).
Adversaries may utilize this approach to evade defensive analysis (e.g. moving away from initial access artifacts) or to inherit specific permissions from a victim process (e.g. changing users). Similar to the Named Pipes micro emulation, malware have also used process injection as part of a "fork-n-run" pattern to execute modules using "sacrificial processes" that may not reveal/highlight the running malware process or write malicious payloads to disk.
Process injection may also be abused as part of other behaviors that involve stealing data form process memory such as dumping LSASS credentials (T1003.001 LSASS Memory).
This module has been compiled into an easy to execute/integrate executable. If you wish to customize or build from source code, please see the building document. You can also download the pre-compiled module.
The process_injection.exe tool executes the complete emulation functionality.
The tool accepts the following arguments or on the command or alternatively can
be configured using the builtin menu:
-r / -runtime:the number of seconds for the module to run-l / -logfile:the location for the module's log file
Sysmon generates event ID 10 when a process opens another process as well as event ID 8 when a process creates a thread in another process, though this data may incur a lot of noise. Consider monitoring for abnormal process activity (e.g. making network connections or performing other unusual actions, especially compared to the process's command line) that may be an indicator that a process is executing malicious code.
Processes that are injecting into others may load
DLLs/modules,
exhibit specific process access
characteristics,
as well as call
functions
(ex: CreateRemoteThread()) that can be detected. Comparing process
memory
to the images backed by files on
disk may
also highlight malicious tampering via injection.
Consider baselining environments to understand benign process injection activity
that may help highlight malicious abuse. For example, processes such as
powershell.exe may be identified as unlikely to be associated with detecting
false positive inter-process
activity.
PowerShell injecting into… anything
There’s some exceptions here—surely varying from one environment to the next—but, generally speaking, you’ll want to be wary of process access activity where PowerShell is accessing any other processes.
process == powershell.exe && handle_granted_to [any other process]
Excerpted from Red Canary's Process Injection report.
Usage of process injection may be difficult if not impossible to mitigate since the signals are also associated with benign behavior. Efforts can be focused on blocking known, detectable patterns of abuse.